With Ansible Vault, you can encrypt passwords and other sensitive values in your configuration files.

This is the last post in a series of 3 articles about Docker and Ansible:
Part I: from Docker Compose to Ansible
Part II: using variables
Part III: using vault to encrypt sensitive information

Create your vault

To create your vault:

$ ansible-vault create vault.yml
New Vault password:
Confirm New Vault password:

This will open your text editor.

Add the variables that should be encrypted:

mysql_db_root_password: "secret_root"
mysql_db_password: "secret_user"

Put your vault in your playbook

We can reuse the playbook that we created in the previous post, but we will delete mysql_db_password and mysql_db_root_password from the file and include vault.yml instead:

---
- hosts: localhost

  vars_files:
    - vault.yml

  vars:
    docker_network: network_app
    mysql_db_name: db
    mysql_db_user: ghost
    mysql_db_host: db

  tasks:
  [...]        
  - name: Run Percona container
    docker_container:
      name: 'percona'
      recreate: true
      restart_policy: unless-stopped
      image: 'percona:latest'
      volumes:
        - "percona:/var/lib/mysql"
      env:
        MYSQL_ROOT_PASSWORD: "{{ mysql_db_root_password }}"
        MYSQL_DATABASE: "{{ mysql_db_name }}"
        MYSQL_USER: "{{ mysql_db_user }}"
        MYSQL_PASSWORD: "{{ mysql_db_password }}"
      networks:
        - name: "{{ docker_network }}"

Then launch the playbook:

$ ansible-playbook deploy.yml --ask-vault-pass
Vault password:

That's it, now we have the sensitive information encrypted in the vault.yml.
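
To confirm that vault.yml really is encrypted before it is committed, the following added example (not part of the original post) checks for the header line that ansible-vault writes at the top of an encrypted file. The script name check_vault.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect vault files that were left in plaintext.
# Files encrypted by ansible-vault start with a header line such as
#   $ANSIBLE_VAULT;1.1;AES256
# (format 1.2 adds a fourth field, the vault ID label).

# Return 0 if the first line of file $1 is an Ansible Vault header.
is_vault_encrypted() {
    [ -r "$1" ] || return 1
    first_line=
    # read fails on a last line without newline but still fills the variable
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;1.1;AES256') return 0 ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every argument that is not an encrypted vault file.
# Returns 1 if at least one file is plaintext, missing or unreadable.
check_vault_files() {
    bad=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            printf 'NOT ENCRYPTED: %s\n' "$f" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Used as a script (for example from a Git pre-commit hook):
#   sh check_vault.sh vault.yml
# The exit status is non-zero when a listed file is not encrypted.
[ "$#" -eq 0 ] || check_vault_files "$@"
```

The check only looks at the header, so it catches a vault.yml that was decrypted for editing and never re-encrypted; it does not verify the password or the ciphertext.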

Resources:

https://docs.ansible.com/ansible/latest/user_guide/vault.html

Feel free to correct me if you see any typo or if something seems wrong to you.